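// Copyright (c) 2021, 2022, Oracle and/or its affiliates.
// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

package webhooks

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"
	cluv1alpha1 "github.com/verrazzano/verrazzano/application-operator/apis/clusters/v1alpha1"
	"github.com/verrazzano/verrazzano/application-operator/constants"
	"go.uber.org/zap"
	securityv1beta1 "istio.io/api/security/v1beta1"
	"istio.io/api/type/v1beta1"
	clisecurity "istio.io/client-go/pkg/apis/security/v1beta1"
	istiofake "istio.io/client-go/pkg/clientset/versioned/fake"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/kubernetes/fake"
	ctrlfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
)

// Principals that every project policy in these tests grants and that cleanup must never remove:
// they belong to platform components, not to the application being deleted.
const (
	testIngressGatewayPrincipal     = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
	testMonitoringOperatorPrincipal = "cluster.local/ns/verrazzano-system/sa/verrazzano-monitoring-operator"
)

// newAuthzPolicyTestHandler returns an AuthorizationPolicy handler wired to in-memory fakes for the
// controller-runtime client (with the clusters API registered), the core Kubernetes client and the
// Istio client. A scheme registration failure is reported on t.
func newAuthzPolicyTestHandler(t *testing.T) *AuthorizationPolicy {
	scheme := runtime.NewScheme()
	err := cluv1alpha1.AddToScheme(scheme)
	assert.NoError(t, err, "Unexpected error adding to scheme")

	return &AuthorizationPolicy{
		Client:      ctrlfake.NewClientBuilder().WithScheme(scheme).Build(),
		KubeClient:  fake.NewSimpleClientset(),
		IstioClient: istiofake.NewSimpleClientset(),
	}
}

// createTestProjectForAuthzPolicy creates a VerrazzanoProject named "test-project" in the
// verrazzano-mc namespace whose template contains the given namespaces and whose placement is the
// default cluster. Creation errors are reported on t.
func createTestProjectForAuthzPolicy(t *testing.T, ap *AuthorizationPolicy, namespaces ...string) {
	templates := make([]cluv1alpha1.NamespaceTemplate, 0, len(namespaces))
	for _, ns := range namespaces {
		templates = append(templates, cluv1alpha1.NamespaceTemplate{
			Metadata: metav1.ObjectMeta{Name: ns},
		})
	}

	project := &cluv1alpha1.VerrazzanoProject{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "test-project",
			Namespace: "verrazzano-mc",
		},
		Spec: cluv1alpha1.VerrazzanoProjectSpec{
			Template: cluv1alpha1.ProjectTemplate{Namespaces: templates},
			Placement: cluv1alpha1.Placement{
				Clusters: []cluv1alpha1.Cluster{{Name: constants.DefaultClusterName}},
			},
		},
	}
	err := ap.Client.Create(context.TODO(), project)
	assert.NoError(t, err, "Unexpected error creating Verrazzano project")
}

// createTestPodForAuthzPolicy creates a pod in namespace that is labeled for and owned by the
// ApplicationConfiguration appName and runs under a service account of the same name. Creation
// errors are reported on t.
func createTestPodForAuthzPolicy(t *testing.T, ap *AuthorizationPolicy, namespace, appName, podName string) {
	pod := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      podName,
			Namespace: namespace,
			Labels:    map[string]string{IstioAppLabel: appName},
			OwnerReferences: []metav1.OwnerReference{{
				Name:       appName,
				Kind:       "ApplicationConfiguration",
				APIVersion: "core.oam.dev/v1alpha2",
			}},
		},
		Spec: corev1.PodSpec{ServiceAccountName: appName},
	}
	_, err := ap.KubeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod, metav1.CreateOptions{})
	assert.NoError(t, err, "Unexpected error creating pod")
}

// createTestAuthzPolicy creates an Istio AuthorizationPolicy named appName in namespace that
// selects the workloads labeled for appName. When principals is non-nil the policy carries one
// rule allowing exactly those source principals; a nil principals creates a policy with no rules.
// Creation errors are reported on t.
func createTestAuthzPolicy(t *testing.T, ap *AuthorizationPolicy, namespace, appName string, principals []string) {
	policy := &clisecurity.AuthorizationPolicy{
		ObjectMeta: metav1.ObjectMeta{
			Name:      appName,
			Namespace: namespace,
			Labels:    map[string]string{IstioAppLabel: appName},
			OwnerReferences: []metav1.OwnerReference{{
				Name: appName,
				Kind: "ApplicationConfiguration",
			}},
		},
		Spec: securityv1beta1.AuthorizationPolicy{
			Selector: &v1beta1.WorkloadSelector{
				MatchLabels: map[string]string{IstioAppLabel: appName},
			},
		},
	}
	if principals != nil {
		policy.Spec.Rules = []*securityv1beta1.Rule{{
			From: []*securityv1beta1.Rule_From{{
				Source: &securityv1beta1.Source{Principals: principals},
			}},
		}}
	}

	_, err := ap.IstioClient.SecurityV1beta1().AuthorizationPolicies(namespace).Create(context.TODO(), policy, metav1.CreateOptions{})
	assert.NoError(t, err, "Unexpected error creating authorization policies")
}

// sourcePrincipals reads the named policy back from the fake Istio client and returns the
// principals of its first rule's first source. If the policy cannot be read, or no longer has a
// rule/from/source to index, the problem is reported on t and nil is returned so that the caller's
// assertions fail with a message instead of the test panicking on a nil dereference.
func sourcePrincipals(t *testing.T, ap *AuthorizationPolicy, namespace, name string) []string {
	policy, err := ap.IstioClient.SecurityV1beta1().AuthorizationPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{})
	if !assert.NoError(t, err, "Unexpected error getting authorization policies") {
		return nil
	}
	rules := policy.Spec.Rules
	if !assert.NotEmpty(t, rules, "Policy %s/%s has no rules", namespace, name) {
		return nil
	}
	if !assert.NotEmpty(t, rules[0].From, "Policy %s/%s rule has no From entries", namespace, name) {
		return nil
	}
	if !assert.NotNil(t, rules[0].From[0].Source, "Policy %s/%s rule has no Source", namespace, name) {
		return nil
	}
	return rules[0].From[0].Source.Principals
}

// TestDeleteOnePolicyOneNamespace tests when an authorization policy is cleaned up
// GIVEN a single project with one namespace and a single authorization policy
// WHEN cleanupAuthorizationPoliciesForProjects is called
// THEN the cleanupAuthorizationPoliciesForProjects should return success
func TestDeleteOnePolicyOneNamespace(t *testing.T) {
	ap := newAuthzPolicyTestHandler(t)
	createTestProjectForAuthzPolicy(t, ap, "appconfig-namespace")

	// The only policy in the project belongs to the application being deleted, so cleanup has no
	// peer policy to edit; the test only checks that this degenerate case is not an error.
	createTestAuthzPolicy(t, ap, "appconfig-namespace", "appconfig-name", nil)

	err := ap.cleanupAuthorizationPoliciesForProjects("appconfig-namespace", "appconfig-name", zap.S())
	assert.NoError(t, err, "Unexpected error cleaning up authorization policies")
}

// TestDeleteTwoPoliciesOneNamespace tests when an authorization policy is cleaned up
// GIVEN a single project with one namespace and two authorization policies
// WHEN cleanupAuthorizationPoliciesForProjects is called for the first application
// THEN cleanupAuthorizationPoliciesForProjects should return success and the remaining policy
// should no longer allow the deleted application's service-account principal, while the platform
// principals and the remaining application's own principal are kept
func TestDeleteTwoPoliciesOneNamespace(t *testing.T) {
	const (
		namespace  = "appconfig-namespace"
		app1       = "appconfig-name1"
		app2       = "appconfig-name2"
		principal1 = "cluster.local/ns/appconfig-namespace/sa/appconfig-name1"
		principal2 = "cluster.local/ns/appconfig-namespace/sa/appconfig-name2"
	)

	ap := newAuthzPolicyTestHandler(t)
	createTestProjectForAuthzPolicy(t, ap, namespace)

	createTestPodForAuthzPolicy(t, ap, namespace, app1, "test-pod1")
	createTestAuthzPolicy(t, ap, namespace, app1, []string{
		principal1,
		principal2,
		testIngressGatewayPrincipal,
		testMonitoringOperatorPrincipal,
	})

	createTestPodForAuthzPolicy(t, ap, namespace, app2, "test-pod2")
	createTestAuthzPolicy(t, ap, namespace, app2, []string{
		principal1,
		testIngressGatewayPrincipal,
		testMonitoringOperatorPrincipal,
		principal2,
	})

	err := ap.cleanupAuthorizationPoliciesForProjects(namespace, app1, zap.S())
	assert.NoError(t, err, "Unexpected error cleaning up authorization policies")

	// A stale allow-list entry would keep granting access to whatever later runs under the deleted
	// application's service-account name, so the removal itself is asserted, not just the count.
	principals := sourcePrincipals(t, ap, namespace, app2)
	assert.Len(t, principals, 3)
	assert.NotContains(t, principals, principal1)
	assert.Contains(t, principals, testIngressGatewayPrincipal)
	assert.Contains(t, principals, principal2)
	assert.Contains(t, principals, testMonitoringOperatorPrincipal)
}

// TestDeleteThreePoliciesTwoNamespace tests when an authorization policy is cleaned up
// GIVEN a single project with two namespaces and three authorization policies
// WHEN cleanupAuthorizationPoliciesForProjects is called for the first application
// THEN cleanupAuthorizationPoliciesForProjects should return success and every remaining policy in
// both project namespaces should no longer allow the deleted application's service-account
// principal, while all other principals are kept
func TestDeleteThreePoliciesTwoNamespace(t *testing.T) {
	const (
		namespace1 = "appconfig-namespace1"
		namespace2 = "appconfig-namespace2"
		app1       = "appconfig-name1"
		app2       = "appconfig-name2"
		app3       = "appconfig-name3"
		principal1 = "cluster.local/ns/appconfig-namespace1/sa/appconfig-name1"
		principal2 = "cluster.local/ns/appconfig-namespace1/sa/appconfig-name2"
		principal3 = "cluster.local/ns/appconfig-namespace2/sa/appconfig-name3"
		randomSA   = "cluster.local/ns/appconfig-namespace2/sa/random-sa"
	)

	ap := newAuthzPolicyTestHandler(t)
	createTestProjectForAuthzPolicy(t, ap, namespace1, namespace2)

	createTestPodForAuthzPolicy(t, ap, namespace1, app1, "test-pod1")
	createTestAuthzPolicy(t, ap, namespace1, app1, []string{
		principal1,
		principal2,
		principal3,
		randomSA,
		testIngressGatewayPrincipal,
		testMonitoringOperatorPrincipal,
	})

	createTestPodForAuthzPolicy(t, ap, namespace1, app2, "test-pod2")
	createTestAuthzPolicy(t, ap, namespace1, app2, []string{
		testIngressGatewayPrincipal,
		testMonitoringOperatorPrincipal,
		principal1,
		principal2,
		principal3,
		randomSA,
	})

	createTestPodForAuthzPolicy(t, ap, namespace2, app3, "test-pod3")
	createTestAuthzPolicy(t, ap, namespace2, app3, []string{
		principal1,
		testIngressGatewayPrincipal,
		testMonitoringOperatorPrincipal,
		principal2,
		principal3,
		randomSA,
	})

	err := ap.cleanupAuthorizationPoliciesForProjects(namespace1, app1, zap.S())
	assert.NoError(t, err, "Unexpected error cleaning up authorization policies")

	// Both remaining policies, in each of the project's namespaces, must drop only the deleted
	// application's principal. random-sa is not tied to any application in the project and must
	// survive cleanup untouched.
	for _, tc := range []struct {
		namespace string
		app       string
	}{
		{namespace: namespace1, app: app2},
		{namespace: namespace2, app: app3},
	} {
		principals := sourcePrincipals(t, ap, tc.namespace, tc.app)
		assert.Len(t, principals, 5, "policy %s/%s", tc.namespace, tc.app)
		assert.NotContains(t, principals, principal1, "policy %s/%s", tc.namespace, tc.app)
		assert.Contains(t, principals, testIngressGatewayPrincipal)
		assert.Contains(t, principals, principal2)
		assert.Contains(t, principals, testMonitoringOperatorPrincipal)
		assert.Contains(t, principals, principal3)
		assert.Contains(t, principals, randomSA)
	}
}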